mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-07 09:46:53 +01:00
96 lines
4.1 KiB
Plaintext
96 lines
4.1 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/configuring-cluster-wide-proxy.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="cluster-wide-proxy-prereqs_{context}"]
|
|
= Prerequisites for configuring a cluster-wide proxy
|
|
|
|
To configure a cluster-wide proxy, you must meet the following requirements. These requirements are valid when you configure a proxy during installation or postinstallation.
|
|
|
|
[discrete]
|
|
[id="cluster-wide-proxy-general-prereqs_{context}"]
|
|
== General requirements
|
|
|
|
* You are the cluster owner.
|
|
* Your account has sufficient privileges.
|
|
ifdef::openshift-rosa[]
|
|
* You have an existing Virtual Private Cloud (VPC) for your cluster.
|
|
endif::openshift-rosa[]
|
|
ifdef::openshift-dedicated[]
|
|
* You have an existing Virtual Private Cloud (VPC) for your cluster.
|
|
* You are using the Customer Cloud Subscription (CCS) model for your cluster.
|
|
endif::openshift-dedicated[]
|
|
* The proxy can access the VPC for the cluster and the private subnets of the VPC. The proxy is also accessible from the VPC for the cluster and from the private subnets of the VPC.
|
|
* You have added the following endpoints to your VPC endpoint:
|
|
** `ec2.<aws_region>.amazonaws.com`
|
|
** `elasticloadbalancing.<aws_region>.amazonaws.com`
|
|
** `s3.<aws_region>.amazonaws.com`
|
|
+
|
|
These endpoints are required to complete requests from the nodes to the AWS EC2 API. Because the proxy works at the container level and not at the node level, you must route these requests to the AWS EC2 API through the AWS private network. Adding the public IP address of the EC2 API to your allowlist in your proxy server is not enough.
|
|
+
|
|
[NOTE]
|
|
====
|
|
When using a cluster-wide proxy, you must configure the `s3.<aws_region>.amazonaws.com` endpoint as type `Gateway`. Also, you can configure the `ec2.<aws_region>.amazonaws.com` and `elasticloadbalancing.<aws_region>.amazonaws.com` endpoints only as type `Interface`.
|
|
====
|
|
|
|
[discrete]
|
|
[id="cluster-wide-proxy-network-prereqs_{context}"]
|
|
== Network requirements
|
|
|
|
* If your proxy re-encrypts egress traffic, you must create exclusions to the domain and port combinations. The following table offers guidance into these exceptions.
|
|
+
|
|
--
|
|
** Your proxy must exclude re-encrypting the following OpenShift URLs:
|
|
+
|
|
[cols="6,1,6",options="header"]
|
|
|===
|
|
|Address | Protocol/Port | Function
|
|
|`observatorium-mst.api.openshift.com`
|
|
|https/443
|
|
|Required. Used for Managed OpenShift-specific telemetry.
|
|
|
|
|`sso.redhat.com`
|
|
|https/443
|
|
|The https://cloud.redhat.com/openshift site uses authentication from sso.redhat.com to download the cluster pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, and chargeback reporting.
|
|
|===
|
|
+
|
|
** Your proxy must exclude re-encrypting the following site reliability engineering (SRE) and management URLs:
|
|
+
|
|
[cols="6,1,6",options="header"]
|
|
|===
|
|
|Address | Protocol/Port | Function
|
|
|`*.osdsecuritylogs.splunkcloud.com`
|
|
|
|
**OR**
|
|
|
|
`inputs1.osdsecuritylogs.splunkcloud.com`
|
|
`inputs2.osdsecuritylogs.splunkcloud.com`
|
|
`inputs4.osdsecuritylogs.splunkcloud.com`
|
|
`inputs5.osdsecuritylogs.splunkcloud.com`
|
|
`inputs6.osdsecuritylogs.splunkcloud.com`
|
|
`inputs7.osdsecuritylogs.splunkcloud.com`
|
|
`inputs8.osdsecuritylogs.splunkcloud.com`
|
|
`inputs9.osdsecuritylogs.splunkcloud.com`
|
|
`inputs10.osdsecuritylogs.splunkcloud.com`
|
|
`inputs11.osdsecuritylogs.splunkcloud.com`
|
|
`inputs12.osdsecuritylogs.splunkcloud.com`
|
|
`inputs13.osdsecuritylogs.splunkcloud.com`
|
|
`inputs14.osdsecuritylogs.splunkcloud.com`
|
|
`inputs15.osdsecuritylogs.splunkcloud.com`
|
|
|tcp/9997
|
|
|Used by the splunk-forwarder-operator as a log forwarding endpoint to be used by Red Hat SRE for log-based alerting.
|
|
|
|
|`http-inputs-osdsecuritylogs.splunkcloud.com`
|
|
|https/443
|
|
|Used by the splunk-forwarder-operator as a log forwarding endpoint to be used by Red Hat SRE for log-based alerting.
|
|
|===
|
|
--
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
The use of a proxy server to perform TLS re-encryption is currently not supported if the server is acting as a transparent forward proxy where it is not configured on-cluster via the `--http-proxy` or `--https-proxy` arguments.
|
|
|
|
A transparent forward proxy intercepts the cluster traffic, but it is not actually configured on the cluster itself.
|
|
====
|